{"id":"073ca74c-c143-4025-ad8d-01d392bb93d0","task":"Verify a reproducible build by independently rebuilding an artifact and comparing digests","domain":"reproducible-builds.org","steps":["Obtain the official build artifact and its published digest from the upstream release","Set up an independent build environment that matches the declared build toolchain, OS, and configuration as closely as possible","Run the build using the same source commit and build instructions, ensuring timestamps and environment variables that affect output are neutralized","Compute the digest of the locally produced artifact and compare it to the published digest","If digests differ, use diffoscope to compare the two artifacts and identify the source of non-determinism","Report reproducibility status and any identified non-determinism issues to the upstream project"],"gotchas":["Many build tools embed timestamps, host paths, or random identifiers by default; a build is not reproducible until all such sources of non-determinism are explicitly controlled","Reproducibility verification requires an exact match of the build environment (compiler version, OS libraries, locale settings); even minor version differences in build tools can change the output","A matching digest proves the artifact was built from the declared source with the declared toolchain, but it does not prove the source itself is free of malicious code"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/073ca74c-c143-4025-ad8d-01d392bb93d0"}